treewide: switch to gomod and bump everything
This switches version resolution from fietsje to gomod and updates
all Go dependencies. It also bumps rules_go (required by gVisor) and
switches the Gazelle naming convention from go_default_xxx to the
standard Bazel convention of the default target having the package
name.
Since Kubernetes dropped upstream Bazel support and doesn't check in
all generated files I manually pregenerated the OpenAPI spec. This
should be fixed, but because of the already-huge scope of this CL
and the rebase complexity this is not in here.
Change-Id: Iec8ea613d06946882426c2f9fad5bda7e8aaf833
Reviewed-on: https://review.monogon.dev/c/monogon/+/639
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
Reviewed-by: Leopold Schabel <leo@nexantic.com>
diff --git a/metropolis/node/kubernetes/apiserver.go b/metropolis/node/kubernetes/apiserver.go
index cd4ff60..aeaa80e 100644
--- a/metropolis/node/kubernetes/apiserver.go
+++ b/metropolis/node/kubernetes/apiserver.go
@@ -97,7 +97,6 @@
pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: s.idCA})),
"--enable-admission-plugins=NodeRestriction,PodSecurityPolicy",
"--enable-aggregator-routing=true",
- "--insecure-port=0",
fmt.Sprintf("--secure-port=%d", common.KubernetesAPIPort),
fmt.Sprintf("--etcd-servers=unix:///%s:0", s.EphemeralConsensusDirectory.ClientSocket.FullPath()),
args.FileOpt("--kubelet-client-certificate", "kubelet-client-cert.pem",
@@ -117,6 +116,9 @@
"--requestheader-username-headers=X-Remote-User",
args.FileOpt("--service-account-key-file", "service-account-pubkey.pem",
pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: s.serviceAccountPrivKey})),
+ args.FileOpt("--service-account-signing-key-file", "service-account-signing-key.pem",
+ pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: s.serviceAccountPrivKey})),
+ "--service-account-issuer", "https://metropolis.internal", // TODO: Figure out federation
fmt.Sprintf("--service-cluster-ip-range=%v", s.ServiceIPRange.String()),
args.FileOpt("--tls-cert-file", "server-cert.pem",
pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: s.serverCert})),
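Review bot: The two added `args.FileOpt` lines hand `s.serviceAccountPrivKey` to the API server as a second file, `service-account-signing-key.pem`, while the context line just above already places the same private key in a file named `service-account-pubkey.pem` for `--service-account-key-file`, a flag that is only used to verify tokens. Consider passing only the public half to the verification flag, or at least add a comment such as `// NOTE: both files hold the service-account private key; only the signing-key file needs it` so the file name is not taken at face value. The issuer is passed as two slice elements (`"--service-account-issuer", "https://metropolis.internal"`), whereas the other literal flags in this diff use the `--flag=value` form; `"--service-account-issuer=https://metropolis.internal",` would be consistent. Because the issuer ends up in the `iss` claim of issued tokens, the TODO would be more useful if it noted that changing this value later affects tokens already issued. The argument list starts and ends outside this hunk.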